Over the years, WordPress has increasing number of vulnerabilities. Believe me it has quite interesting stats. Below I mentioned 20+ basic tips to protect your WordPress blog. I omitted some tips because I considered them too complicated to apply (for newbies). Sorry!
1. Upgrade : Golden Tip. The latest version of WordPress always contains patches and bugs fixes for the security holes. Therefore it is important to keep your blog updated with latest version. It is also recommended to upgrade all the plugins and themes you use.
2. Change Username : It is one of the most elementary security measures for preventing it from being hacked. Change the default WP username admin. If you still use this username, you are indirectly helping the hackers, trust me. Change it into a difficult and memorable username. You can check the below tutorial for changing the username.
TUTORIAL : 3 ways to Change WordPress Default Username
3. Hide Plugins : Create an empty index.html file and upload to wp-content/plugins/. By this you are protecting your WordPress plugins directory. In other words, no one can access your plugins. Hackers can easily hack your blog if they discover an out-of-the-date or vulnerable plugin. You can also create .htaccess file and upload.
Update : New versions of WordPress already contain index.php in different folders like themes, plugins, uploads etc. (Thanks Usman)
MUST READ : Introduction to HTACCESS for Newbies
4. Remove WordPress Version : It is better to remove the WordPress version which is included in most of the themes by default. Even many WordPress developers often display them. Displaying the version info will help the attackers to exploit known vulnerabilities on a particular WordPress version. Check the tutorial to remove them correctly.
5. Registration : Disable registering feature unless you have a revenue sharing blog or a blog with Guest Blogging feature. To Disable it go to General Settings page | turn off Anyone can register option.
6. Akismet : Automattic Kismet (Akismet for short) is a collaborative effort to make comment and trackback spam a non-issue and restore innocence to blogging, so you never have to worry about spam again. If your blog is not protected by Akismet, download it now.
7. Captcha : CAPTCHA is an acronym for “Completely Automated Public Turing test to tell Computers and Human Apart”. A CAPTCHA is a program that can tell whether its user is a human or a computer. CAPTCHAs are used by many websites to prevent abuse from “bots,” or automated programs usually written to generate spam. You can use reCAPTCHA to stop spam.
8. Stealth Login : Stealth Login allows you to create custom URLs for logging in, logging out, administration and registering for your WordPress blog. Even if your password is leaked out, the hacker will have to suffer figuring out the login page. You can prevent malicious bots from accessing your wp-login.php file. Download Stealth Login plugin.
9. WP API Keys : Using these API keys you can use services and enhancements built on the WordPress.com platform. This allows you to leverage the power of WordPress.com even if you host your blog elsewhere. You should not share your API key, it is like a password. To get one, you have to sign up for a free WP.com account.
EXAMPLE : By installing Akismet, anti-spam service and entering your WP.com API key, your blog will be protected from spam the same way every blog on WP.com is.
10. Remove or Disable : You would have tried lot of themes and plugins for checking the functionality, but you would not have disabled or removed it. Remove all those craps at once. Hackers can find a way exploit to them, even if you are not using them.
11. Hardening WordPress : You can harden WordPress software too. You can read this Hardening WordPress document. They cover aspects like securing wp-config and MySQL, setting up file permission and son on.
12. Security Updates : You can subscribe to the WordPress Development blog. When they patch a security hole or release a new version, they’ll usually announce it on their Development Blog. Upgrade and apply them as soon as possible.
13. Use Role Manager and Sabre : Many blogs allow their readers to comment only if they are registered. You can use Sabre plugin to prevent fake registration by bots. It adds image verification or math test in registration. You can also use Role Manager plugin to define the capabilities for the users. You can also control what the users can do and cannot do in your blog.
14. Protect Your Content : You should protect your blog in terms of content also. To get a detailed explanation, you can check Prevent Content Theft guide from WordPress.com.
15. Adieu Spammer : You can suspend the IP addresses of the spammer so that they can’t spam/comment further. You can use Bad Behavior plugin for that. They check the visitor’s IP to mark it as a spammer or not. You can try WP-Ban to display a custom ban message when someone from banned IP tries to visit you blog. They also allow you to exclude certain IPs from being banned.
16. From Matt Cutts : Matt Cutts gives you three easy but important ways to protect yourself if you run a WordPress blog. You can read his Three Tips To Protect Your WordPress Installation.
18. Secure Source : Yes. Always download the themes and plugins from trusted source. It is recommended to check the identity of the owner and popularity of the theme, plugin, and the site.
19. FTP and Backup : Always keep back up of your blog’s files and database. It is a MUST for every blogger. FTP the blog contents to your system regularly. Taking manual backups are tedious tasks. So I recommend you to use WP Database Backup. Even if your database is compromised, you can restore it with the help of back up. Use a secure FTP Client.
20. Read More : I just mentioned the current basic tips to protect your blog. Please also read other blogs to find more interesting and easy measures to protect your WordPress Blog.
21. Password : Last but not least. Don’t think it is difficult to break or guess a password. By keeping a hard and difficult password you can protect your blog to the core. You can use Microsoft’s free web-based tool, Password Checker, for finding the strength of your password. Check the tips for Creating Secure And Strong Passwords.
22. Login Using Email: WP-Email Login plugin will be essential for you in this. Use your email address instead of a username to log into your WordPress. You can also set your username to some random name and then just forget it and use your email address instead for better security.
MUST READ :
Having any other basic tips to protect WordPress blogs? Please feel free to share it here!